
Security: --env-all exposes secrets to prompt-injected agent in pull_request_target workflows #23197

@deyaaeldeen

Description


Summary

When a workflow uses pull_request_target and checks out the PR branch, the agent container receives all environment variables via --env-all on the awf command. This includes:

  • COPILOT_GITHUB_TOKEN
  • GITHUB_MCP_SERVER_TOKEN (or GH_AW_GITHUB_TOKEN / GITHUB_TOKEN fallback)

Since the agent has bash access and operates on untrusted PR content, a prompt-injection attack could cause the agent to run env or printenv and exfiltrate these tokens via allowed channels (PR comments, repo-memory artifacts, raw.githubusercontent.com).

Relevant lock file context

# Agent execution (archie.lock.yml ~line 639)
sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" \
  --enable-host-access --allow-all-tools --allow-all-paths \
  -- /bin/bash -c '/usr/local/bin/copilot ...'

# Secrets in env (archie.lock.yml ~line 641-655)
env:
  COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
  GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}

Proposed fixes (in order of preference)

  1. File-based token injection — mount tokens as files with restricted permissions that the Copilot CLI reads internally but bash tools cannot access
  2. Selective env passing — use --env <name> for each needed var instead of --env-all, excluding secret-containing vars from the agent's bash environment
  3. Frontmatter opt-out — provide a way for workflow authors to opt out of --env-all
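As an added illustration of fix 2 (selective env passing), not code from gh-aw or awf: a small audit script that spots the pull_request_target + --env-all combination in a lock file, separates secret-bearing env entries (values referencing secrets.*, or names ending in TOKEN/SECRET/KEY) from the rest, and emits the --env NAME flags that would replace --env-all. The lock-file excerpt is constructed to mirror the lines quoted above; parse_env, is_exposed and selective_env_flags are hypothetical names.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the lines quoted in this issue; not the real archie.lock.yml.
SAMPLE_LOCK = """\
on:
  pull_request_target:
    types: [labeled]
jobs:
  agent:
    steps:
      - run: |
          sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" \\
            --enable-host-access --allow-all-tools --allow-all-paths \\
            -- /bin/bash -c '/usr/local/bin/copilot ...'
        env:
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
          GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GITHUB_TOKEN }}
          GH_AW_MODEL: gpt-4o
          GITHUB_WORKSPACE: /home/runner/work/repo/repo
"""

SECRET_REF = re.compile(r"\$\{\{[^}]*\bsecrets\.")          # ${{ secrets.NAME }} expressions
ENV_LINE = re.compile(r"^\s+([A-Z][A-Z0-9_]*):\s*(.*?)\s*$")   # NAME: value inside an env: block

def parse_env(lock_text: str) -> Dict[str, str]:
    """Collect NAME: value pairs from indented 'env:' blocks (indentation-based, enough for the excerpt)."""
    env, indent = {}, None
    for line in lock_text.splitlines():
        stripped = line.lstrip()
        if stripped == "env:":
            indent = len(line) - len(stripped)
            continue
        if indent is None:
            continue
        if not stripped or len(line) - len(stripped) <= indent:
            indent = None           # left the env: block
            continue
        m = ENV_LINE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
    return env

def is_secret(name: str, value: str) -> bool:
    """Treat anything sourced from secrets.* or named like a credential as secret-bearing."""
    return bool(SECRET_REF.search(value)) or name.endswith(("TOKEN", "SECRET", "KEY"))

def split_env(env: Dict[str, str]) -> Tuple[List[str], List[str]]:
    safe = sorted(n for n, v in env.items() if not is_secret(n, v))
    secret = sorted(n for n, v in env.items() if is_secret(n, v))
    return safe, secret

def is_exposed(lock_text: str) -> bool:
    """True when the pattern from the report is present: pull_request_target trigger plus awf --env-all."""
    return "pull_request_target:" in lock_text and re.search(r"\bawf\b[^\n]*--env-all", lock_text) is not None

def selective_env_flags(env: Dict[str, str]) -> List[str]:
    """Replacement for --env-all: one '--env NAME' per non-secret variable (proposed fix 2)."""
    flags: List[str] = []
    for name in split_env(env)[0]:
        flags += ["--env", name]
    return flags
```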

Impact

Any gh-aw workflow using pull_request_target + bash: true + PR checkout is affected. The team-member gate on pre_activation is the primary defense, but if a team member labels a malicious fork PR without inspecting it, the tokens are accessible.

Environment

  • gh-aw v0.64.1
